Single ECDH Curve for forward secrecy
rieckers+freeradius-devel at uni-bremen.de
Fri Jan 31 10:39:10 CET 2020
I'm currently doing some research with the TLS client and server
implementations in EAP-TLS.
I have noticed that FreeRADIUS forces the use of one specific curve for
the ECDH key exchange. Is there a specific reason for that?
(set_ecdh_curve in src/main/tls.c)
The standard is "prime256v1", which seems to be a good default, since
this curve is always in the SupportedGroups extension of the Client TLS
Hello (for all clients I've seen so far).
But I'd like to change the default to something like X25519 and fall
back on others when this is not possible.
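
A minimal model of the trade-off raised in this post, added as an illustration and not taken from FreeRADIUS or OpenSSL: it parses the body of a client's supported_groups extension and picks a group from either one forced curve or an ordered preference list. The sample extension bytes, the server-preference ordering and all function and variable names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS NamedGroup code points from the IANA registry. */
enum { SECP256R1 = 23, SECP384R1 = 24, X25519 = 29, X448 = 30 };

/* Constructed supported_groups extension bodies (not captured traffic):
 * 2-byte list length, then 2-byte group ids. */
static const uint8_t modern_client[]  = { 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18 };
static const uint8_t legacy_client[]  = { 0x00, 0x04, 0x00, 0x17, 0x00, 0x18 };
static const uint8_t no_p256_client[] = { 0x00, 0x04, 0x00, 0x1d, 0x00, 0x1e };
static const uint8_t truncated[]      = { 0x00, 0x06, 0x00, 0x1d, 0x00 };

/* Hypothetical server configurations: one forced curve vs. an ordered list. */
static const uint16_t single_curve[] = { SECP256R1 };
static const uint16_t pref_list[]    = { X25519, SECP256R1, SECP384R1 };

/* Pick the first server-preferred group the client also offers.
 * Returns 0 (reserved code point) when the body is malformed or nothing matches. */
uint16_t select_group(const uint8_t *ext, size_t len,
                      const uint16_t *prefs, size_t nprefs)
{
    if (len < 2)
        return 0;
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len != len - 2 || list_len % 2 != 0)
        return 0;                      /* length field must match the body */
    for (size_t i = 0; i < nprefs; i++)
        for (size_t off = 2; off < len; off += 2) {
            uint16_t g = (uint16_t)((ext[off] << 8) | ext[off + 1]);
            if (g == prefs[i])
                return g;
        }
    return 0;                          /* no common group: no ECDHE with this config */
}

int main(void)
{
    printf("modern:   single=%u list=%u\n",
           (unsigned)select_group(modern_client, sizeof modern_client, single_curve, 1),
           (unsigned)select_group(modern_client, sizeof modern_client, pref_list, 3));
    printf("legacy:   list=%u\n",
           (unsigned)select_group(legacy_client, sizeof legacy_client, pref_list, 3));
    printf("no P-256: single=%u list=%u\n",
           (unsigned)select_group(no_p256_client, sizeof no_p256_client, single_curve, 1),
           (unsigned)select_group(no_p256_client, sizeof no_p256_client, pref_list, 3));
    printf("truncated: list=%u\n",
           (unsigned)select_group(truncated, sizeof truncated, pref_list, 3));
    return 0;
}
```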